ASSESSMENT REPORT 14-19

Federal PKI Compliance Report
September 12, 2014

Date: September 12, 2014
To: Chief Information Officer
From: Inspector General
Subject: Assessment Report - Federal PKI Compliance Report, Report Number 14-19

Enclosed please find the subject final report. The Office of the Inspector General administered a contract with Ernst & Young LLP (E&Y) to provide a compliance report of GPO’s Public Key Infrastructure (PKI) for July 1, 2013 through June 30, 2014. E&Y conducted their work in accordance with attestation standards established by the American Institute of Certified Public Accountants.

E&Y concluded that GPO’s assertion is fairly stated in all material respects. E&Y also issued a Letter of Supplementary Information, concluding that the GPO Principal Certification Authority Certificate Practices Statement conformed in all material respects to the GPO-Certificate Authority and Federal PKI common policies. E&Y is responsible for the attached report and the opinion expressed therein.

We appreciate the courtesies extended to E&Y and to our audit staff. If you have any questions or comments about this report, please do not hesitate to contact Mr. Jeffrey C. Womack, Assistant Inspector General for Audits and Inspections at (202) 512-2009 or me at (202) 512-0039.

Michael A. Raponi
Inspector General

Enclosure
cc:
Public Printer
Deputy Public Printer
General Counsel
Chief of Staff
Chief Administrative Officer

U.S. Government Printing Office

Report of Independent Accountants
Federal PKI Compliance Report
For the Period July 1, 2013 to June 30, 2014

Table of Contents

Report of Independent Accountants
Management Assertion
Letter of Supplementary Information
Summary of Matters Relating to Project Personnel

Ernst & Young LLP, Westpark Corporate Center, 8484 Westpark Drive, McLean, VA 22102
Tel: +1 703 747 1000, Fax: +1 703 747 0100, ey.com

Report of Independent Accountants

We have examined the assertion, dated August 21, 2014, by the management of the United States Government Printing Office (“GPO”), that GPO’s Certification Authority (GPO-CA) complied with certain requirements of its Certificate Policy (CP), Version 1.3.1 dated August 17, 2009 and its Certificate Practices Statement (CPS) Version 1.7.3 dated April 18, 2014 for the GPO Principal Certificate Authority (GPO-PCA) and its Certificate Practices Statement Version 1.7.4 dated April 18, 2014 for the GPO Subordinate Certificate Authority (GPO-SCA) for the period July 1, 2013 to June 30, 2014, as well as the requirements of the Federal PKI
Authority and all current cross-certification Memorandum of Agreements (MOAs) executed by the GPO with other entities.

Management of the GPO is responsible for its compliance with those requirements. Our responsibility is to express an opinion on management’s assertion about the GPO’s compliance based on our examination.

Our examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants and accordingly, included examining, on a test basis, evidence about GPO-CA’s compliance with those requirements and performing such other procedures as we considered necessary in the circumstances. We believe that our examination provides a reasonable basis for our opinion. Our examination does not provide a legal determination on GPO-CA’s compliance with specific requirements.

In our opinion, for the period from July 1, 2013 through June 30, 2014, GPO management’s assertion, as set forth in the first paragraph, is fairly stated, in all material respects.

This report is intended solely for the information and use of the GPO and the U.S.
Federal PKI Policy Authority and is not intended to be and should not be used by anyone other than those specified parties.

August 21, 2014

A member firm of Ernst & Young Global Limited

August 21, 2014

Letter of Supplementary Information

To the Inspector General of the United States Government Printing Office and the Management of the United States Government Printing Office Certification Authority (GPO CA):

This letter provides supplementary information to the examination performed by Ernst & Young LLP of the assertion by the management of the GPO-CA regarding the certification authority services it provides at http://www.gpo.gov/projects/pki.htm.

Management’s assertions were based on the American Institute of Certified Public Accountants (AICPA)/Canadian Institute of Chartered Accountants WebTrust for Certification Authorities criteria. GPO-CA’s management was responsible for its assertion.
Our responsibility was to express an opinion on management’s assertion based on our examination.

Our examination was conducted in accordance with attestation standards established by the AICPA and, accordingly, included examining, on a test basis, evidence about GPO’s compliance with those requirements and performing such other procedures as we considered necessary in the circumstances. We believe that our examination provides a reasonable basis for our opinion. Our examination does not provide a legal determination on GPO-CA’s compliance with specified requirements.

The period for this examination was from July 1, 2013 through June 30, 2014. Our examination was performed between March 26, 2014 and July 30, 2014.

We examined the Certificate Policy (CP) for the GPO-CA version 1.3.1, dated August 17, 2009, the Certification Practices Statement (CPS) for the GPO Principal Certification Authority (GPO-PCA) version 1.7.3, dated April 18, 2014 and the Certificate Practices Statement for the GPO Subordinate Authority (GPO-SCA) version 1.7.4 dated April 18, 2014. Multiple Root CAs were not in operation at GPO-CA.

Our examination included, through our testing of management’s assertion, the evaluation of GPO-CA’s operations for conformance to the requirements of its CPSs and the evaluation of GPO-CA’s operations for conformance to the requirements of all current cross-certification Memorandum of Agreements (MOAs) executed by the GPO-CA with other entities.
In our Report of Independent Accountants dated August 21, 2014, we reported that management’s assertion was fairly stated in all material respects.

We have compared the CPS for the GPO-PCA version 1.7.3, dated April 18, 2014, for conformance to the CP for the GPO-CA version 1.3.1, dated August 17, 2009. We have also compared the CPS for the GPO-SCA version 1.7.4, dated April 18, 2014, for conformance to the CP for the GPO-CA version 1.3.1, dated August 17, 2009. We found, in all material respects, that the GPO-PCA CPS and the GPO-SCA CPS are in conformance with GPO-CA CP.

We have compared the CPS for the GPO-PCA version 1.7.3, dated April 18, 2014 and the CPS for the GPO-SCA version 1.7.4, dated April 18, 2014 for conformance to the FPKI Common Policy. For this analysis we utilized the Framework Certification Practice Statement Evaluation Mapping Matrix, Version 2.8 (September 22, 2010).
We found, in all material respects, that the GPO-PCA CPS and the GPO-SCA CPS are in conformance with the requirements of the FPKI Common Policy.

We are independent of the GPO for the professional engagement period as required by the AICPA Professional Standards.

August 21, 2014

Summary of matters related to project personnel provided by Ernst & Young LLP

To the Inspector General of the United States Government Printing Office and the Management of the United States Government Printing Office Certification Authority (GPO-CA):

The GPO Office of Inspector General (OIG) has asked Ernst & Young LLP (EY or we) to provide certain information to assist in its efforts to provide the Federal Public Key Infrastructure Policy Authority (FPKIPA) with information about the individuals who performed work as part of the WebTrust for Certification Authority (WTCA) examination services; these services are performed in accordance with relevant American Institute of Certified Public Accountants (AICPA) standards. The FPKIPA sets policy governing operation of the U.S.
Federal PKI Infrastructure, composed of: the Federal Bridge Certification Authority (FBCA); the Federal Common Policy Framework Certification Authority (CPFCA); the Citizen and Commerce Class Common Certification Authority (C4CA) and the E-Governance Certification Authority. EY makes no representation regarding the sufficiency of this information for the purposes for which this information was requested. That responsibility rests solely with the FPKIPA.

Educational level and professional experience

Client serving personnel (Professionals) EY has provided to the Agency have received a degree from an accredited college or university (or its equivalent if the individual was educated outside of the United States). Certain individuals may also have advanced degrees. The majority of Professionals provided to the Agency are part of EY’s Advisory Services (AS) service line. Recruiting efforts for the AS practice focus on candidates with information technology, accounting, finance and other business-related degrees. Hiring activities and types of Professionals hired into each EY service line, including Assurance and Tax, are generally the same as similar service lines and personnel of Deloitte, PwC and KPMG (who along with EY, are the Big Four).

The experience levels of Professionals provided will vary based upon various factors including age and length of time the individual has worked since receiving their degree. The amount of professional experience of Professionals may not solely be related to a person’s employment period with EY, as EY normally hires a combination of experienced Professionals and Professionals who recently graduated from a college or university.
In most cases, the experience level within a rank classification of EY Professionals is generally the same as the other Big Four.

Methodologies, policies and procedures

EY Professionals carrying out WTCA examinations are required to comply with policies and procedures within the EY Global Advisory Quality Guide (“the Guide”) and related methodologies. In those cases where we do not perform work directly under the supervision and responsibility of Agency personnel as part of an engagement to provide loan staff, and we provide management with our findings and recommendations in those areas where we observe internal controls that, in our view, could be improved, the Guide requires the work and any reports or deliverables to be in accordance with the Statement on Standards for Consulting Services (CS100) of the AICPA. The initial adoption of, and any subsequent changes in, policies and procedures have been reviewed and approved by EY’s Professional Practice group.

Professional certification and continuing education

EY encourages its Professionals to obtain a professional certification. In certain service lines, obtaining a professional certification is a requirement for promotion. Individuals in AS are required to obtain a professional certification to be promoted to Manager.
In the AS service line, the most common certifications are Certified Public Accountant (CPA) (or its equivalent in other countries), Certified Internal Auditor (CIA) as recognized by the Institute of Internal Auditors, Certified Information Systems Auditor (CISA) as recognized by ISACA, or Certified Management Accountant (CMA) as recognized by the Institute of Management Accountants.

The continuing professional education requirements of the SEC (Securities and Exchange Commission) Practice Section of the AICPA Division for CPA firms are the foundation of EY’s professional development policy. Participation in professional development programs is measured in units of continuing professional education (CPE) credit hours earned in our educational year. EY’s educational year is July 1 through June 30. The EY policy for compliance is as follows:

• Commencing with the first full educational year of employment, each professional must obtain at least 20 CPE credit hours each year and at least 120 CPE credit hours during the most recent three-year period.

• Professionals who were not employed during the entire most recent educational year are not required to earn continuing professional education credits in that year.

• Professionals who were employed during the entire most recent educational year, but not during the entire most recent two educational years, are required to have participated in at least 20 hours of qualifying continuing professional education during the most recent educational year.

• Professionals who were employed during the entire most recent two educational years, but not during the entire most recent three educational years, are required to have participated in at least 20 hours of qualifying continuing professional education during each of the two most recent
educational years.

Professionals who hold a professional designation or certification other than the CPA certification (e.g., CIA, attorney at law, CISA, CMA) may be subject to continuing education requirements as part of that designation or certification. Completion of courses to meet these requirements may be used to meet the firm’s CPE requirements as long as the courses also meet the requirements of the AICPA’s SEC Practice Section.

Experience Auditing PKI Systems

The EY executive team assigned to the GPO project has experience in performing audits and implementation of PKI systems and IT security. In addition, certain team members also have participated in a number of other commercial PKI and WebTrust for CA examinations both as a team member and as a quality reviewer. We have incorporated consultations with other EY personnel who represent the firm on the AICPA WebTrust Task Force.
EY’s client roster for PKI projects for governmental agencies other than the GPO includes other US federal agencies as well as foreign governmental monetary organizations.

We are available if you need any additional information or would like to further discuss this memorandum.

Summary information for EY executives assigned to the engagement

Name             Rank                Certifications                 Years of experience  In compliance with EY CPE policy (Yes/No)
Werner Lippuner  Principal           CA (Switzerland), CISA, CISM   25                   Yes
James Merrill    Executive Director  CPA, CISA                      32                   Yes
Bruce Hamilton   Senior Manager      CISSP, CPA, CISA, CISM         33                   Yes
Staci Angel      Senior Manager      CISA                           10                   Yes

About EY

EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders.
In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization and may refer to one or more of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.

Ernst & Young LLP is a client-serving member firm of Ernst & Young Global Limited operating in the US.

© 2014 Ernst & Young LLP. All Rights Reserved.